aaa vpn ipsec clients how to see login history on asdm or asa5510

arcolino11
Level 1

Hello all, I would like to know how to see the IPsec VPN client users' login history. They are authenticating to the local AAA, not to Active Directory. I am able to see current login sessions by going to monitoring\vpn\vpn statistics\sessions. This shows me current sessions, but I would like to see, for example, logins for VPN clients for the last month. I researched and saw info about AAA server? I checked that section and did not see what I was looking for.

11 Replies

Amjad Abdullah
VIP Alumni

Hello, I suggest that you move your thread to VPN subforums. They'll help you better there.

You can move the thread using the options on the right pane.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"


Jatin Katyal
Cisco Employee

I think what you're seeing shows the list of online users or logged-in users. The user logged in history can only be seen with the help of accounting. Accounting tracks traffic that passes through the ASA, enabling you to have a record of user activity. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the ASA for the session, the service used, and the duration of each session.

The ASA local database does not support accounting. Your best bet will be a radius server/accounting.

Jatin Katyal
- Do rate helpful posts -

~Jatin
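As an added illustration (not part of the original thread, and not the log format of ACS, NPS or any other server): the accounting fields listed in the reply above correspond to standard RADIUS accounting attributes, so a login history is built by pairing each session's Start and Stop records. The "Name = value" record layout, the Timestamp field and the sample users are constructed for this example.

```python
from datetime import datetime

# Constructed sample: one blank-line-separated block per accounting record.
# Attribute names are RFC 2866 ones; layout and Timestamp field are assumptions.
SAMPLE = """\
Timestamp = 2013-03-01T08:02:11
Acct-Status-Type = Start
User-Name = alice
Acct-Session-Id = 0000A1

Timestamp = 2013-03-01T17:30:45
Acct-Status-Type = Stop
User-Name = alice
Acct-Session-Id = 0000A1
Acct-Session-Time = 34114
Acct-Input-Octets = 120034
Acct-Output-Octets = 9830021

Timestamp = 2013-03-02T09:15:00
Acct-Status-Type = Start
User-Name = bob
Acct-Session-Id = 0000A2
"""

def parse_records(text):
    """Return one dict of attributes per accounting record."""
    def attrs(block):
        pairs = (line.partition("=") for line in block.splitlines())
        return {k.strip(): v.strip() for k, sep, v in pairs if sep}
    return [attrs(b) for b in text.strip().split("\n\n")]

def login_history(records):
    """Pair Start/Stop by Acct-Session-Id; a row missing login or logout
    means that record was lost or the session is still open."""
    sessions = {}
    for rec in records:
        status = rec.get("Acct-Status-Type")
        if status not in ("Start", "Stop") or "Acct-Session-Id" not in rec:
            continue  # Interim-Update and malformed records are skipped
        row = sessions.setdefault(rec["Acct-Session-Id"], {
            "user": rec.get("User-Name"), "login": None, "logout": None,
            "seconds": None, "bytes": None})
        key = "login" if status == "Start" else "logout"
        row[key] = datetime.fromisoformat(rec["Timestamp"])
        if status == "Stop":
            row["seconds"] = int(rec.get("Acct-Session-Time", 0))
            row["bytes"] = (int(rec.get("Acct-Input-Octets", 0))
                            + int(rec.get("Acct-Output-Octets", 0)))
    return sorted(sessions.values(), key=lambda r: r["login"] or r["logout"])
```

Calling `login_history(parse_records(SAMPLE))` returns one row per session in time order; bob's row has no logout because only his Start record exists.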

jkatyal, yes, I see the current login and no history. I think you are right; I saw many things saying RADIUS server/accounting is what is needed. If I understand you, I see I cannot set up RADIUS server/accounting on the firewall. My question: what are the steps to set up RADIUS server/accounting? Will it give me past history? I am guessing no. It will probably be history now and going forward?

In order to configure RADIUS authentication and accounting, this is all you need:

ciscoasa# configure terminal

!--- Configure the AAA Server group.

ciscoasa(config)# aaa-server RAD_SRV_GRP protocol RADIUS

ciscoasa(config-aaa-server-group)# exit

!--- Configure the AAA Server.

ciscoasa(config)# aaa-server RAD_SRV_GRP (inside) host 192.168.1.2

ciscoasa(config-aaa-server-host)# key secretkey

ciscoasa(config-aaa-server-host)# exit

!--- Configure the tunnel group to use the new AAA setup.

ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes

ciscoasa(config-tunnel-general)# authentication-server-group RAD_SRV_GRP

ciscoasa(config-tunnel-general)# accounting-server-group RAD_SRV_GRP

Yes, it will show you the last few weeks/months of RADIUS accounting.

In ACS 5.x this is all you need to do to see old radius accounting logs.

Select Monitoring & Reports > Reports > Catalog > report_type, where report_type is the type of report you want to run. Click the radio button next to the report name you want to run, then select one of the options under Run:

•Run for Today—The report you specified is run and the generated results are displayed.

•Run for Yesterday—The report you specified is run using the previous day's values and the generated results are displayed.

•Query and Run—The Run Report screen appears where you can enter parameters to use when generating the report.

Setting up radius server for webvpn users.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c18ff.shtml

Hope it helps.

Jatin Katyal

Jatin,

For this setup I still have to point to a server on my network? Or is this on the ASA?

"Select Monitoring & Reports > Reports > Catalog > report_type"

Yep! You need to point the user authentication / accounting towards a radius server.

Jatin Katyal



OK, this is where I am so far. I added this command to the firewall; I am using local authentication for my IPsec VPN users.

Do I still need to set up RADIUS on a Windows server behind the firewall? If so, which option do I choose in network policies?

This is what I have so far:

ciscoasa(config)# aaa-server RADIUS protocol RADIUS

ciscoasa(config-aaa-server-group)# exit

ciscoasa(config)# aaa-server RADIUS (inside) host 192.168.x.x

ciscoasa(config-aaa-server-host)# key xxxxxx (using x's for security)

ciscoasa(config-aaa-server-host)# exit

ciscoasa(config)# aaa-server RADIUS protocol RADIUS

ciscoasa(config-aaa-server-group)# exit

What's the next step?

You should have a RADIUS server running ACS 4.x or ACS 5.x, which should be reachable from the ASA firewall.

Once that's done, add the ASA on the RADIUS server as an AAA client.

Try to authenticate a RADIUS user account from the ASA by using:

test aaa-server authentication RADIUS host 192.168.x.x

username: radius-user

password: radius-password

If you see an authentication successful message, add the below RADIUS server under the tunnel-group like we have mentioned below.

ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes

ciscoasa(config-tunnel-general)# authentication-server-group RAD_SRV_GRP

ciscoasa(config-tunnel-general)# accounting-server-group RAD_SRV_GRP

Jatin Katyal


Where do I install ACS 4 or ACS 5 on my RADIUS server? That part I am not getting.

So far I put the commands on the firewall,

and I am trying to configure the RADIUS server and I am not sure how to point it back to the ASA/firewall?

This is actually a RADIUS server from Microsoft called Network Policy Server (NPS).

The one I used (ACS 5 and ACS 5) that was just an example.

You can review the below listed doc

http://fixingitpro.com/2009/09/08/using-windows-server-2008-as-a-radius-server-for-a-cisco-asa/

Jatin Katyal



The link is for users authenticating to A/D; my users are authenticating to the local AAA on the ASA.

I am trying to get a clear understanding of whether this can be done with users authenticating to the local AAA on the ASA/firewall?

According to Cisco this can be done, but they do not support setting up RADIUS on Windows Server. They said there is a way to point it back to the ASA, but I do not know how to do this?